In /member/soft_add.php of dedecms, the input template parameter $servermsg1 is not strictly filtered, so that the attacker can construct the template closing tag and realize the template injection for GETSHELL.
Open the file /member/soft_add.php and search (about line 154):
- $urls .="{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
Replace with:
- if(preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1)!=1){
- $urls .="{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
- }